InPage Zero Day Used in Attacks Against Banks

A zero-day vulnerability in InPage publishing software used primarily in Urdu, Pashto and Arabic-speaking nations has been publicly exploited in attacks against financial institutions and government agencies in the region.

While there are more than 10 million InPage users in Pakistan and India alone, there are a significant number of users in the U.S., U.K. and across Europe as well.

Researchers at Kaspersky Lab today disclosed the vulnerability after a number of attempts to privately report the bug to InPage were ignored.

“We have informed the vendor of the affected software of the existence of the vulnerability, but have received no reply, while the attacks continue,” Kaspersky Lab said in a statement. “We have also informed the Indian CERT and received the reply that the organization’s specialists are looking into the issue.”

Kaspersky Lab said it’s possible a number of criminal or nation-state actors are using this exploit since it has recorded several different attacks against banks in Asia and Africa, as well as others targeting government agencies. The exploit is spreading via phishing campaigns, and was discovered during a separate investigation in September.

It was then when Kaspersky Lab researchers found a file with a .inp extension that was analyzed and found to contain shellcode inside a Microsoft OLE file, a file format that has been used in a number of Office exploits dating back to 2009. The researchers detected a number of different payloads and command and control servers used in the respective attacks. A list of C2 servers and indicators of compromised has been published as well.

Kaspersky Lab’s analysis of some of the emails shows that the attackers used other exploits using .rtf and .doc files in conjunction with the InPage exploit. The attacks dropped different versions of particular keyloggers and backdoors on victims’ machines. The vulnerability in question is in a parser in the main InPage module.

“The parser in the software’s main module ‘inpage.exe’ contains a vulnerability when parsing certain fields,” Kaspersky Lab said. “By carefully setting such a field in the document, an attacker can control the instruction flow and achieve code execution.”

The shellcode found in the document first looks for certain patterns in virtual memory space before launching a decoder that obtains an instruction pointer and decrypts the next stage of the attack. At that point, a downloader grabs and executes the payload.

Kaspersky Lab researchers said the attacks are similar to attacks exploiting vulnerabilities in the Hangul Word Processor against government targets in South Korea. Researchers at FireEye last year found such an attack and linked the payloads and command and control infrastructure used to North Korea.

“Despite our attempts, we haven’t been able to get in touch with the InPage developers,” Kaspersky Lab said. “By comparison, the Hangul developers have been consistently patching vulnerabilities and publishing new variants that fix these problems.”